aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
11,195 Commits
7 Branches
155 Tags
194 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c1673908ac'
${ noResults }
Commit Graph

78 Commits (c1673908ac47449294fce3e028b3f8261f4e40f0)

Author SHA1 Message Date
Vadym Malakhatko a80f705d4b userguide: add documentation for Hassh usage 
1. Rules keywords
2. Json keywords
3. Usage in lua
4. Enabling in configuration file
 5 years ago
Frank Honza 1c8943dedd add RFB parser 
This commit adds support for the Remote Framebuffer Protocol (RFB) as
used, for example, by various VNC implementations. It targets the
official versions 3.3, 3.7 and 3.8 of the protocol and provides logging
for the RFB handshake communication for now. Logged events include
endpoint versions, details of the security (i.e. authentication)
exchange as well as metadata about the image transfer parameters.
Detection is enabled using keywords for:

 - rfb.name: Session name as sticky buffer
 - rfb.sectype: Security type, e.g. VNC-style challenge-response
 - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ...

The latter could be used, for example, to detect brute-force attempts
on open VNC servers, while the name could be used to map unwanted VNC
sessions to the desktop owners or machines.

We also ship example EVE-JSON output and keyword docs as part of the
Sphinx source for Suricata's RTD documentation.
 5 years ago
Jason Ish d3f6a95b56 doc: removed unified2 output 5 years ago
Victor Julien 411dd69e92 doc/eve: layout and formatting fixes 5 years ago
Jason Ish 718fcbb682 doc: document eve/dns v2 as the default 
Adds eve/dns v2 format documentation. Update legacy format
to require the version field.
 5 years ago
Jeff Lucovsky 17c3e22ecd doc/eve.alert: Expand metadata description 5 years ago
Jason Ish 0cd5452194 doc: mark independent json loggers as deprecated 
This is the loggers such as alert-json-log, dns-json-log, etc.
They are not even referenced in the default configuration file,
and are easily replaced with multiple eve instances.
 5 years ago
Jeff Lucovsky 44a59b78c7 doc/anomaly Remove event_no 5 years ago
Victor Julien df325d63ea doc/eve.anomaly: fix indent and general formatting 6 years ago
Jeff Lucovsky 075592b66f doc: Simplified anomaly configuration settings 6 years ago
Jeff Lucovsky aaacbf28c2 logging/anomaly: Support configuration filter types 6 years ago
Zach Kelly caef8b5b38 protocol parser: rdp 
Initial implementation of feature 2314:
1. Add protocol parser for RDP
2. Add transactions for RDP negotiation
3. Add eve logging of transactions
 6 years ago
Victor Julien 1bc738fbe4 doc: typo fixes 
By @espritlibre and @Zeal0us
 6 years ago
Jeff Lucovsky a66383569c userguide: formatting: remove tabs 6 years ago
Jeff Lucovsky c68510437f userguide: ftp formatting updates 6 years ago
Jeff Lucovsky 2149807bd6 eve/ftp: Transaction support for unmatched requests 
Modified transaction logic to create a new transaction with each
request; replies location transactions by using the oldest "open"
(unmatched) transaction or the last transaction if none are open.
 6 years ago
Jeff Lucovsky 1930b1f504 eve/ftp: Log FTP transactions 
This changeset includes changes that
1. Add transaction support to the FTP parser
2. Support eve json logging of FTP transactions
 6 years ago
Jeff Lucovsky 6cd39c5cfb userguide: Document app-layer anomaly items 
This changeset expands the anomaly section to include newly added
app-layer items.
 6 years ago
Eric Leblond dbf3606169 doc: document flow event_type 6 years ago
Mats Klepsland 800608ab65 userguide: add JA3S fields to the TLS logger documentation 6 years ago
Jeff Lucovsky 8a94b93b7b doc: Anomaly logging documentation 
This changeset adds discussion of anomaly log records and
the anomaly log record format.
 6 years ago
Pascal Delalande bde65467a9 doc: add ssh protocol in eve log section 6 years ago
Victor Julien c47164ebc8 doc: add table for custom values of eve/http 6 years ago
Maurizio Abba 6c0ec0b2f3 eve/http: add request/response http headers 
Add a keyword configuration dump-all-headers, with allowed values
{both, request, response}, dumping all HTTP headers in the eve-log http
object. Each header is a single object in the list request_headers
(response_headers) with the following notation:

{
    "name": <header name>,
    "value": <header value>
}

To avoid forged malicious headers, the header name size is capped at 256
bytes, the header value size at 2048.

By default, dump-all-headers is disabled.
 6 years ago
Victor Julien 473688746b doc/eve: add community id 6 years ago
Maurizio Abba bce7c2dd87 eve/http: add tx->request_port_number as http_port 
Add the port specified in the hostname (if any) to the http object in
eve. The port may be different from the dest_port used by the TCP flow.
 7 years ago
Chris Speidel 1e8959b465 doc: fix minor typo 7 years ago
Pascal Delalande 4f48927c44 doc: spelling mistakes in various sections of the user guide 7 years ago
Eric Leblond 0c4bf2d332 doc: add a lua support top level section 
Both output and signature are using lua. So lua functions should
be displayed in a single section.
 7 years ago
Eric Leblond 293b00798e doc: document lua TLS functions 7 years ago
Pascal Delalande e3c5784dd5 doc: minor updates (tls custom, TODO removal, ftp/smb file rules) 7 years ago
Victor Julien 83bf60d897 doc: add ntlmssp, kerberos and other setup fields 7 years ago
Richard Sailer dc07c1fe13 lua output doc: Use more descriptive variable names in the examples 
This also removes the "args" parameter of the hooking functions in the examples,
since this parameter is unused in all functions.
It would not be very helpful anyways since 3 of the 4 functions don't get passed
any parameters. The only exception is init() which gets a table containing:
  script_api_ver = 1
 7 years ago
Richard Sailer 3307f7a94e lua output doc: Add explaining introduction text 7 years ago
Victor Julien e09027915a doc: fix json formatting in smb doc 7 years ago
Victor Julien 67e81a9555 doc: initial smb eve documentation 7 years ago
Mats Klepsland 47a7ebbbc2 doc: add JA3 fields to the TLS logger documentation 7 years ago
Mats Klepsland fb0bfb614f doc: add documentation for Ja3GetString Lua function 7 years ago
Mats Klepsland 2514553098 doc: add documentation for Ja3GetHash Lua function 7 years ago
Giuseppe Longo fb66d45754 doc: introduce dns compact logging 7 years ago
Victor Julien 50a182194a eve: log pcap filename 7 years ago
Pascal Delalande 2e5b293afb doc: update eve json output for DNS and HTTP 7 years ago
Jason Ish 74e036d09f doc: update eve/alert/metadata configuration 7 years ago
Martin Natano fe9cac5870 eve/alert: include rule text in alert output 
For SIEM analysis it is often useful to refer to the actual rules to
find out why a specific alert has been triggered when the signature
message does not convey enough information.

Turn on the new rule flag to include the rule text in eve alert output.
The feature is turned off by default.

With a rule like this:

    alert dns $HOME_NET any -> 8.8.8.8 any (msg:"Google DNS server contacted"; sid:42;)

The eve alert output might look something like this (pretty-printed for
readability):

    {
      "timestamp": "2017-08-14T12:35:05.830812+0200",
      "flow_id": 1919856770919772,
      "in_iface": "eth0",
      "event_type": "alert",
      "src_ip": "10.20.30.40",
      "src_port": 50968,
      "dest_ip": "8.8.8.8",
      "dest_port": 53,
      "proto": "UDP",
      "alert": {
        "action": "allowed",
        "gid": 1,
        "signature_id": 42,
        "rev": 0,
        "signature": "Google DNS server contacted",
        "category": "",
        "severity": 3,
        "rule": "alert dns $HOME_NET any -> 8.8.8.8 any (msg:\"Google DNS server contacted\"; sid:43;)"
      },
      "app_proto": "dns",
      "flow": {
        "pkts_toserver": 1,
        "pkts_toclient": 0,
        "bytes_toserver": 81,
        "bytes_toclient": 0,
        "start": "2017-08-14T12:35:05.830812+0200"
      }
    }

Feature #2020
 7 years ago
Eric Leblond 72c8cd67d5 doc: documentation update on metadata 7 years ago
Jason Ish ab939f4aaa doc: breakout eve-log section to a partial file 
Both the suricata.yaml and eve configuration sections
included the eve-log section from suricata.yaml. First,
sync these up with the actual suricata.yaml then break
it out into its own file, so only one file needs to
be kept in sync with the actual configuration file.
 7 years ago
Pascal Delalande 80f2fbac6e rust/tftp: eve logging with rust 7 years ago
Pascal Delalande 0c99338e07 doc: update docs for DNS flags logging 7 years ago
Julian f27b4fc8fe redis: support for rpush in list mode 
This adds a new redis mode rpush. Also more consistent config keywords orientated at the redis command: lpush and publish.
Keeping list and channel config keywords for backwards compatibility
 8 years ago
Jason Ish 59d69666ea doc: add more details to log rotation doc 8 years ago